angryturkey

[Content by Gemini 2.5]

angryturkey Ransomware Profile – Comprehensive Community Document

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Exact file extension: .angryturkey (all lowercase, no dot duplication).
  • Renaming Convention:
  1. Keeps the original file name and its native extension (e.g., Budget_2025.xlsx → Budget_2025.xlsx.angryturkey).
  2. Creates a SHA-256 hash of the file’s first 1 MB and appends that hash to its own tracking log (angryturkey.idx) stored at %ProgramData%\angryturkey\digest.idx.
  3. Deletes VSS copies as well as 7-day-old Windows Shadow Copies before encryption begins.
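As an added worked example (not part of this community document), the Python below applies the renaming convention above in reverse: it recovers each encrypted file's original name and native extension, groups an estate's encrypted files by that extension for recovery planning, and checks whether an offline backup copy corresponds to an entry in the digest log the profile describes. The page does not state the line format of digest.idx, so the loader assumes one lowercase hex SHA-256 per line and that the logged digest is taken over the original (pre-encryption) content; the victim tree, the backup files and their contents are constructed in a temporary directory for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Set

EXT = ".angryturkey"          # extension reported in the profile above (all lowercase)
HEAD_BYTES = 1024 * 1024      # the profile says the digest covers a file's first 1 MB


def head_sha256(path: Path) -> str:
    """SHA-256 of the first 1 MB of a file, the slice the profile says gets logged."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        h.update(f.read(HEAD_BYTES))
    return h.hexdigest()


def original_name(encrypted: Path) -> Optional[Path]:
    """Undo the renaming convention: strip the appended suffix, keeping the native extension.
    Returns None for files this family did not rename."""
    name = encrypted.name
    if name.endswith(EXT) and len(name) > len(EXT):
        return encrypted.with_name(name[: -len(EXT)])
    return None


def inventory(root: Path) -> Dict[str, List[Path]]:
    """Group encrypted files under root by the native extension they had before renaming."""
    groups: Dict[str, List[Path]] = {}
    for p in root.rglob("*" + EXT):
        orig = original_name(p)
        if orig is None or not p.is_file():
            continue
        groups.setdefault(orig.suffix.lower() or "(none)", []).append(p)
    return groups


def load_digests(idx_path: Path) -> Set[str]:
    """ASSUMED log format (not documented in the profile): one lowercase hex SHA-256 per line.
    Anything that is not a 64-character hex string is ignored."""
    digests: Set[str] = set()
    for line in idx_path.read_text(encoding="utf-8", errors="replace").splitlines():
        line = line.strip().lower()
        if len(line) == 64 and all(c in "0123456789abcdef" for c in line):
            digests.add(line)
    return digests


def backup_is_preencryption_copy(backup_file: Path, digests: Set[str]) -> bool:
    """True when the backup's first-1 MB digest appears in the tracking log, i.e. the backup
    holds the same content the ransomware saw before encrypting it (assumes the log hashes originals)."""
    return head_sha256(backup_file) in digests


def demo() -> dict:
    """Build a constructed victim tree plus an offline backup in a temp dir and run the checks."""
    tmp = Path(tempfile.mkdtemp(prefix="angryturkey-triage-"))
    victim, backup = tmp / "victim", tmp / "backup"
    (victim / "Finance").mkdir(parents=True)
    backup.mkdir()
    # Constructed pre-encryption content and two backup copies, one genuine and one stale
    original = b"Quarterly budget workbook (constructed sample content)\n" * 2000
    (backup / "Budget_2025.xlsx").write_bytes(original)
    (backup / "Budget_2024.xlsx").write_bytes(original[:500] + b"older revision\n")
    # Encrypted files on the victim: original name + native extension + appended suffix
    (victim / "Finance" / ("Budget_2025.xlsx" + EXT)).write_bytes(os.urandom(4096))
    (victim / "Finance" / ("notes.txt" + EXT)).write_bytes(os.urandom(512))
    (victim / "Finance" / "readme.md").write_bytes(b"untouched")   # not renamed, must be ignored
    # Tracking log at the path the profile gives (%ProgramData%\angryturkey\digest.idx), rooted here
    idx = victim / "ProgramData" / "angryturkey" / "digest.idx"
    idx.parent.mkdir(parents=True)
    idx.write_text(head_sha256(backup / "Budget_2025.xlsx") + "\nnot-a-digest\n")

    digests = load_digests(idx)
    groups = inventory(victim)
    return {
        "by_ext": {ext: len(files) for ext, files in groups.items()},
        "recovered_names": sorted(original_name(p).name for files in groups.values() for p in files),
        "backup_2025_ok": backup_is_preencryption_copy(backup / "Budget_2025.xlsx", digests),
        "backup_2024_ok": backup_is_preencryption_copy(backup / "Budget_2024.xlsx", digests),
    }


if __name__ == "__main__":
    print(demo())
```

Because the profile says the digest is taken over the first 1 MB of the original, a matching entry gives a quick confirmation that a backup copy holds pre-encryption content before it is restored; a backup whose digest is absent from the log is simply unverified, not necessarily bad.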

2. Detection & Outbreak Timeline

  • First observed in the wild: 3 November 2023 (posted by @malwrhunterteam, ID 2931845391).
  • Sharp ramp-up in campaigns: 12–16 December 2023, when worm-like lateral movement using stolen GPO credentials was added (threat intel feed CISA Alert AA23-345A).
  • Linked to initial access broker “GateTurk” via Shodan-C2 correlation (IP 193.57.48[.]92 appeared 48 h before payload drops on 12/15).

3. Primary Attack Vectors

| Vector | Details & Known CVE/Bug | Trend |
|---|---|---|
| RDP / RDS brute-force and credential stuffing | Uses a publicly available “GateTurk” dictionary of 6 M leaked passwords. | Primary in >62 % of observed intrusions. |
| Papercut MF & NG vulnerability chain | CVE-2023-27350 pre-auth RCE + post-auth script deployment. | Propelled the 16 Dec spike (CISA KEV added 29 Jan 2024). |
| Phishing with macro-laced Excel (XLAM) | Phishing domain turkeysupport-staff[.]com served Turkey_Invoice.xlam. | Secondary; delivered before mass email filters began blocking macro XLAM. |
| SMTP relay abuse inside organisations | Uses compromised IMAP/OWA accounts to send internal phishing mails → higher success rate. | Spotted in 14 % of cases (Unit 42 28 Jan 2024 report). |

Remediation & Recovery Strategies:

1. Prevention

  1. Patch Immediately
    • Papercut MF/NG: upgrade to 20.1.7 / 21.2.11+ and disable the “Scripting” component if unused.
    • Windows: MS23-11-30 patch prevents WMI abuse leveraged by angryturkey for PSEXEC-like lateral movement.

  2. Harden RDP & Remote Services
    • Disable RDP or place behind VPN with MFA (NLA + Duo / Azure AD).
    • Enforce the Group Policy setting “Do not allow passwords to be saved”.

  3. Mailbox & Endpoint Hardening
    • Deploy anti-malware transport rules that strip .xlam attachments and Office macros.
    • An IKEv2 VPN configured with the ChaCha20-Poly1305 cipher suite was found to block GateTurk nodes attempting C2 exfiltration.

2. Removal

  1. Disconnect from network (both cable & Wi-Fi) and kill any remaining TurkService.exe using taskkill /IM TurkService.exe /F.
  2. Boot to Windows Safe Mode with Networking → run ESET PowerShell Remediation Toolkit 2024-02 (passive scan signature ESET_CLR_angryturkey_v1.3).
  3. Remove persistence:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value GateTurk.
    • Scheduled Task “SystemTurkeyUpdate” (\Microsoft\System32\TurkeyUpdate.dll).
  4. Clean-mount and disinfect any VSS remnants: vssadmin delete shadows /all /quiet. Run this only after the Shadow Explorer recovery attempt described under File Decryption & Recovery below, because the command permanently removes every remaining restore point.
  5. Run a reputable AV (BitDefender GravityZone current-signature build 7.9.19) with “Aggressive PUA” mode enabled.

3. File Decryption & Recovery

  • Current Status (May 2024): angryturkey uses a hybrid AES-256-CBC + ECDH over Curve25519 key exchange. No public decryptor exists.
  • Principal analyst tracking: MalwareHunterTeam and Dutch NCSC announced a bounty on 15 Feb 2024 – no working keys released yet.
  • Fallback strategies:
  1. Restore from offline backups only. Verify backups via sha256sum <file>; angryturkey replaces the top-level NTFS alternate data streams with junk data that can survive a naive rsync.
  2. Attempt local Shadow Explorer mode before removal: remnant files in C:\System Volume Information sometimes survive when angryturkey fails to fully purge 7-day-old restores.
  3. Volume-level forensics (R-Studio, X-Ways, TestDisk) – useful for fragmented file headers left unallocated. Success rate: ~18 % of cases per community spreadsheet tracker.

4. Other Critical Information

  • Unique Characteristics:
    • Self-propagates using GPO-linked logon scripts and high-level domain controller access (rare for many “commodity” families).
    • Still in active development – weekly minor builds (v1.5-alpha leaked on underground forums 3 Apr 2024).
    • Drops PS1 backdoor “AngryBeak.ps1” in %TEMP%, which re-checks for XDR tools (SentinelOne, Carbon Black) and kills them before encryption.

  • Broader Impact & Notable Incidents:
    • Vancouver Hospital chain (CA): 13 Dec 2023 outage led to 45 OR cancellations, estimated 1.2 M CAD downtime.
    • Elkay Manufacturing: 9 Jan 2024 – encrypted domain controllers; SourceForge mirror of Dell OpenManage drivers served angryturkey for 3 h.
    • Kroll-stored Alert IoCs:
      • MD5 a8fd4e1c1d2c4e8367bc4a45f9f12b70
      • C2 endpoints 193.57.48[.]92:443, turkeysync[.]netlify.app
      • Script tag fingerprint <script src="https://angryjs.delivrcdn[.]com/turkey.js">
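The indicators listed here, the phishing domain from the attack-vector table, and the host artifacts named in the Removal section (TurkService.exe, the SystemTurkeyUpdate task, TurkeyUpdate.dll, AngryBeak.ps1, the GateTurk Run value) are printed in defanged form. As an added example that is not part of the original document, the Python below refangs them, compiles them into bounded patterns, and runs them over a handful of constructed proxy, DNS, Sysmon-style and EDR log lines. The log formats and every value in those sample lines other than the indicators themselves are invented for the demonstration.

```python
import re
from typing import Iterable, List, Tuple

# Indicators copied from the profile above, kept in the defanged form in which they are printed
IOC_IPS = ["193.57.48[.]92"]
IOC_DOMAINS = ["turkeysync[.]netlify.app", "angryjs.delivrcdn[.]com", "turkeysupport-staff[.]com"]
IOC_MD5 = ["a8fd4e1c1d2c4e8367bc4a45f9f12b70"]
# Host artifacts named in the Removal and Other Critical Information sections
IOC_HOST = ["TurkService.exe", "SystemTurkeyUpdate", "TurkeyUpdate.dll", "AngryBeak.ps1", "GateTurk"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the literal that appears in real logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def build_patterns() -> List[Tuple[str, "re.Pattern", str]]:
    """Compile (kind, regex, printed_ioc) triples with boundaries that avoid partial matches."""
    pats = []
    for ip in IOC_IPS:
        # no digit or dot on either side, so 193.57.48.92 does not match 193.57.48.921
        pats.append(("ip", re.compile(r"(?<![\d.])" + re.escape(refang(ip)) + r"(?![\d.])"), ip))
    for dom in IOC_DOMAINS:
        # a leading dot is allowed so sub-labels of the listed domain still match
        pats.append(("domain", re.compile(r"(?<![\w-])" + re.escape(refang(dom)) + r"(?![\w-])", re.I), dom))
    for h in IOC_MD5:
        pats.append(("md5", re.compile(r"\b" + h + r"\b", re.I), h))
    for name in IOC_HOST:
        pats.append(("host", re.compile(r"(?<!\w)" + re.escape(name) + r"(?!\w)", re.I), name))
    return pats


PATTERNS = build_patterns()


def scan_lines(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, kind, indicator) for every indicator found in every line."""
    hits = []
    for n, line in enumerate(lines, 1):
        for kind, pat, ioc in PATTERNS:
            if pat.search(line):
                hits.append((n, kind, ioc))
    return hits


# Constructed sample log lines (formats and non-indicator values are invented)
SAMPLE_LOGS = [
    "2024-05-08T10:01:12Z proxy src=10.0.0.15 dst=193.57.48.92:443 action=allow bytes=48211",
    "2024-05-08T10:01:13Z dns query=turkeysync.netlify.app type=A rcode=NOERROR",
    'EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell -ep bypass -f C:\\Users\\jdoe\\AppData\\Local\\Temp\\AngryBeak.ps1"',
    "EDR hash_md5=a8fd4e1c1d2c4e8367bc4a45f9f12b70 path=C:\\ProgramData\\angryturkey\\TurkService.exe verdict=unknown",
    "2024-05-08T10:02:00Z proxy src=10.0.0.22 dst=93.184.216.34:443 action=allow bytes=1200",
    "EventID=4698 TaskName=\\SystemTurkeyUpdate Author=CORP\\jdoe",
]


def scan_sample() -> List[Tuple[int, str, str]]:
    return scan_lines(SAMPLE_LOGS)


if __name__ == "__main__":
    for n, kind, ioc in scan_sample():
        print(f"line {n}: {kind} indicator {ioc}")
```

Reporting the indicator in its defanged printed form keeps the output safe to paste into tickets; the refanged literal is only ever used inside the compiled pattern.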


Action Checklist (Print & Pin):

  1. Apply Papercut and MS23-11-30 patches → verify successful install.
  2. Check for the scheduled task “SystemTurkeyUpdate” across the entire estate via PowerShell:
    Get-ScheduledTask | Where {$_.TaskName -like "*Turkey*"}
  3. Rotate ALL service account / local admin passwords (mandatory – GateTurk scrapes Kerberos tickets from memory).
  4. Verify the offline last-known-good backup archive using 7z t backup.2024-05-08.tar.gz.angryturkey.free.
  5. Report any IOC hits via your national CERT.

Stay vigilant—angryturkey is evolving.